Heartbleed Bug Impact @ Boingo

We are still reviewing all of our systems to determine potential impact from the Heartbleed bug discovered earlier this week.

The good news is that our preliminary reviews show that most Boingo customers should be unaffected. This means that usernames, passwords and credit card information provided during signup and login should not have been exposed by Heartbleed.

The one group of customers who have been at risk include ones who have used the Boingo VPN service. As a precaution, we have taken this service offline and will bring it back up once we have updated the necessary components to eliminate the bug. For now, customers will be unable to use the Boingo VPN service. Once the patches are complete, we will send an update to all customers who have used the VPN service in the past, advising them to update their passwords.

Just for clarification, the Heartbleed bug means that the exploit existed in the server, but it does not mean that a hacker actually used the exploit to gain information. So even for services that were exposed, the likelihood that information was taken is relatively low. But since there is no way to know whether or not it has been exploited, being cautious is probably the best path forward.

We continue to research every aspect of our user-facing and internal systems to understand the full potential impact, and will update you with more information as we complete these reviews.

UPDATE: April 23 at 11:45 a.m. PT: As noted above, we took our VPN servers offline as soon as we learned that the SSL software on those servers was subject to the Heartbleed exploit. We have upgraded the SSL software, and the servers are now as good as new, without those pesky security flaws that make it possible for hackers to take something that didn’t belong to them.

On Saturday, April 12, we sent an email to our customers to educate them about Heartbleed. As media coverage has stated, simply because the bug was there doesn’t mean it was exploited, but since there is no way to know for sure, we recommended that our customers change their password if they have used our VPN service or logged in to a partner network in the last two years.